Security in data communication systems.

A data communication system in which messages sent 
between a central processor (10) and message source units 
(14) are enciphered under session keys. Session keys are 
changed for each exchange of messages and the method 
described ensures that a source unit and a central processor 
are using the same key and that the updating of session keys 
is done without the updated key being transmitted through 
the communication medium. 

SECURITY IN DATA COMMUNICATION SYSTEMS

This invention relates to improvements in the security of data commu- 
nication systems. The invention finds particular application in electronic 
funds transfer networks such as those dedicated to home banking and the 
preferred embodiment to be described is such an application, although, as
will become apparent, the invention is not limited to the home banking 
application and may find use in other data communication systems which 
require a similar approach to message authentication and authorisation of 
transactions. 

The use of data communication networks to carry messages relating to 
financial transactions is becoming more common. Cash issuing terminals 
operated by a bank's customer using a magnetic stripe card and having a 
secret number (PIN) and connected on-line to a remote data processing 
machine are now commonplace, automatic teller machines (ATM) which can 
perform more functions than just issue cash are now appearing in banks, 
and there is an economic pressure to reduce the amount of paper work 
(cheque processing, etc.) related to financial transactions. 

Point of sale/electronic funds transfer (POS/EFT) is another development 
in which retailers have terminals connected to a packet switched network
and customers have their accounts debited on-line from the retailer's 
terminal whenever a purchase is made. 

A description of a POS/EFT system is found in United Kingdom Patent 
Application No. 8324916 which also describes a system for user and 
message authentication checking. In these systems an electronic funds 
transfer system (EFT) is described in which retail terminals located in 
stores are connected through a public switched telecommunication system 
to card issuing agencies' data processing centres. Users of the system
are issued with intelligent secure bank cards, which include a micropro- 
cessor, ROS and RAM stores, the ROS includes a personal key (KP) and 
an account number (PAN) stored on the card when the issuer issues it to 
the user. Users also have a personal identity number (PIN) which is
stored or remembered separately. 

A transaction is initiated at a retail terminal when a card is inserted in
an EFT module connected to the terminal. A request message including
the PAN and a session key (KS) is transmitted to the issuer's data pro-
cessing centre. The issuer generates an authentication parameter (TAP)
based upon its stored version of KP and PIN and a time variant parameter
received from the terminal. The TAP is then returned to the terminal in
a response message. In the terminal, a TAP derived from the input PIN,
by partial processing of the input PIN and KP on the card, is compared
with the received TAP. A correct comparison indicates that the entered
PIN is valid.

The request message includes the PAN encoded under the KS and KS 
encoded under a cross-domain key. Message authentication codes (MAC) 
are attached to each message and the correct reception and regeneration 
of a MAC on a message including a term encoded under KS indicates that 
the received KS is valid and that the message originated at a valid termi- 
nal or card. 

Other publications describing the prior art in EFT systems are as follows: 

European Patent Publication 32193 (IBM Corporation) describes a system 
in which each user and retailer has a cryptographic key number - retail- 
er's key Kr and user's key Kp - which is stored together with the user's 
account number and retailer's business number in a data store at the host 
central processing unit (cpu). The retailer's key and the user key are
used in the encryption of data sent between the retailer's transaction 
terminal and the host cpu. Obviously only users or customers with their 
identity numbers and encryption keys stored at the host cpu can make 
use of the system. As the number of users expands there is an optimum 
number beyond which the time taken to look up corresponding keys and 
identity numbers is unacceptable for on-line transaction processing. 

The system described is only a single domain and does not involve using
a personal identification number (PIN). Verification of the user's identity
is at the host and without a PIN there is no bar to users using stolen 
cards for transactions. 

European Patent Publication 18129 (Motorola Inc.) describes a method of 
providing security of data on a communication path. Privacy and security 
of a dial-up data communications network are provided by means of either 
a user or terminal identification code together with a primary cipher key. 
A list of valid identification codes and primary cipher key pairs is main- 
tained at the central processing unit. Identification code and cipher key 
pairs, sent to the cpu are compared with the stored code pairs. A 
correct comparison is required before the cpu will accept encoded data 
sent from the terminal. All data sent over the network is ciphered to 
prevent unauthorised access using the relevant user or terminal key. 

The system described is a single domain in which all terminal keys (or 
user keys) must be known at a central host location. Hence, the ideas 
described in the patent do not address a multi-host environment and thus 
are not addressing the interchange problem either. 

UK Patent Application 2,052,513A (Atalla Technovations) describes a
method and apparatus which avoids the need for transmitting user- 
identification information such as a personal identification number (PIN) in 
the clear from station to station in a network such as described in the 
two European Patent Publications mentioned above. The PIN is encoded 
using a randomly generated number at a user station and the encoded PIN 
and the random number are sent to the processing station. At the pro- 
cessing station a second PIN having generic application is encoded using 
the received random number and the received encoded PIN and the 
generic encoded PIN are compared to determine whether the received PIN 
is valid. 

This system does not use a personal key and as a consequence for a
sufficiently cryptographically secure system, it is necessary to have a
PIN with at least fourteen random characters (four bits each). This is a
disadvantage from the human factor point of view as users will have
difficulty remembering such a long string of characters and the chances
of unintentionally inputting an incorrect string are very large. If a
phrase, which a user can easily remember, is employed for a PIN, about 
28 characters are required. Although remembering the information is not 
a problem, inputting such a long string of data still presents a human 
factors problem. 

The EFT system made possible by the systems described in the above 
patent applications is limited to a single host cpu holding the accounts of 
all users, both retailers and customers.

An EFT system in which many card issuing organizations (banks, credit 
card companies, etc.) are connected and many hundreds of retail 
organizations are connected through switching nodes such as telephone 
exchanges, brings many more security problems. 

PCT publication WO 81/02655 (Marvin Sendrow) describes a multi-host,
multi-user system in which the PIN is ciphered more than once at the
entry terminal. The data required to validate and authorise the trans-
actions is transmitted to a host computer which accesses from its stored
data base the data that is required to decipher and validate the trans-
action, including the ciphered PIN. A secret terminal master key must be
maintained at each terminal. A list of these master keys is also main- 
tained at the host computer. 

The maintaining of lists of terminal master keys at each of the card 
issuing organisation's host computers is obviously a difficult task, in a 
complex system where the terminal keys are not controlled and, therefore, 
not known by the card issuing host. 

European Patent Publication 55580 (Honeywell Information Systems) seeks
to avoid the necessity of transmitting PIN information in the network by 
performing PIN verification at the entry point terminal. This is achieved 
by issuing each user with a card that has encoded in the magnetic stripe 
the bank identification (BIN), the user's account number (ACCN) and a 
PIN offset number. The PIN offset is calculated from the PIN, BIN and 
ACCN. The user enters the PIN at a keyboard attached to the terminal, 
which also reads the PIN offset, BIN and ACCN from the card. The 
terminal then re-calculates a PIN offset from the user's entered PIN, the 
BIN and ACCN. If the re-calculated PIN offset is the same as the PIN 
offset read from the card then verification of the PIN is assumed. This 
approach has the disadvantage in that the system is not involved in the 
validation and that knowing that the PIN offset is calculated from the 
PIN, the BIN and ACCN, anyone having knowledge of the process can 
manufacture fraudulent cards with valid PINS. 

Advances in microcircuit chip technology have now led to the possibility
that user cards instead of having user data stored on a magnetic stripe 
can contain a microprocessor with a read only store (ROS). The micro- 
processor is activated when the card is placed in an EFT terminal and the 
appropriate power and data transmission interface connections are made. 
The microprocessor on the card is controlled by control programs stored 
in the ROS. The user's and issuer's identification can also be stored in
the ROS together with other information. 

Examples of such cards including a microprocessor are shown in United 
Kingdom patent applications 2,081,644 A and 2,095,175 A.

European patent application No. 82306989.3 (IBM) describes a method and 
apparatus for testing the validity of personal identification numbers (PIN) 
entered at a transaction terminal of an electronic funds transfer network 
in which the PIN is not directly transmitted through the network. The 
PIN and the personal account number (PAN) are used to derive an 
authorisation parameter (DAP). A unique message is sent with the PAN 
to the host processor where the PAN is used to identify a valid
authorisation parameter (VAP). The VAP is used to encode the message
and the result (a message authentication code MAC), transmitted back to
the transaction terminal. The terminal generates a parallel derived
message authentication code (DMAC) by using the DAP to encode the
message. The DMAC and MAC are compared and the result of the
comparison used to determine the validity of the PIN. 

In such a system the generation of DAP as well as VAP is based on a
short PIN only and is therefore cryptographically weak. Furthermore, 
the EFT transaction terminal has access to all the information carried on 
the identity card which may be regarded as a security weakness in the 
system. The present invention seeks to overcome such deficiencies by
storing personal key data in a portable personal processor carried on a 
card and only processing the key data on the card. 

In any multi-domain communication network where each domain includes a
data processor and in which cryptographically secure transmission takes 
place it is necessary to establish cross domain keys. A communication 
security system in which cross domain keys are generated and used is 
described in United States Patent No. 4,227,253 (IBM). The patent 
describes a communication security system for data transmissions between 
different domains of a multiple domain communication network where each
domain includes a host system and its associated resources of programs 
and communication terminals. The host systems and communication ter- 
minals include data security devices each having a master key which 
permits a variety of cryptographic operations to be performed. When a 
host system in one domain wishes to communicate with a host system in 
another domain, a common session key is established at both host systems 
to permit cryptographic operations to be performed. This is accomplished 
by using a mutually agreed upon cross-domain key known by both host 
systems and does not require each host system to reveal its master key to 
the other host system. The cross domain key is enciphered under a key 
encrypting key at the sending host system and under a different key 
encrypting key at the receiving host system. The sending host system
creates an enciphered session key and together with the sending
cross-domain key performs a transformation function to re-encipher the
session key under the cross domain key for transmission to the receiving
host system. At the receiving host system, the receiving host system
using the cross-domain key and the received session key, performs a
transformation function to re-encipher the received session key from 
encipherment under the cross domain key to encipherment under the 
receiving host system master key. With the common session key now 
available in usable form at both host systems, a communication session is 
established and cryptographic operations can proceed between the two 
host systems. 

The following publications are included as giving general
background information on encryption techniques and terminology:

1. IBM Technical Disclosure Bulletin, Vol. 19, No. 11, April 1977,
p 4241, "Terminal Master Key Security" by S. M. Matyas and
C. H. Meyer;

2. IBM Technical Data Bulletin, Vol. 24, No. 1B, June 1981, pp 561-565,
"Application for Personal Key Crypto With Insecure Terminals" by
R. E. Lennon, S. M. Matyas, C. H. Meyer and R. E. Shuck;

3. IBM Technical Data Bulletin, Vol. 24, No. 7B, December 1981,
pp 3906-3909, "Pin Protection/Verification For Electronic Funds
Transfer" by R. E. Lennon, S. M. Matyas and C. H. Meyer;

4. IBM Technical Disclosure Bulletin, Vol. 24, No. 12, May 1982, pp
6504-6509, "Personal Verification and Message Authentication Using
Personal Keys" by R. E. Lennon, S. M. Matyas and C. H. Meyer;

5. IBM Technical Disclosure Bulletin, Vol. 25, No. 5, October 1982, pp
2358-2360, "Authentication With Stored KP and Dynamic PAC" by
R. E. Lennon, S. M. Matyas and C. H. Meyer.

A home banking system may be characterised as a system which has a
small number of a bank's valued customers as users. Users of the system
provide their own terminal equipment, for example, a personal computer 
or a television set with a keyboard etc. A set of equipment may well be 
shared by many users of equipment (Home and Office). The system will 
have security requirements that cover the control of access to private 
information, authentication of a series of transactions and authorisation to 
perform that series of transactions. 

According to the present invention there is provided a data communication 
system including a host data processor connected through a communication 
network to a plurality of message source units, each unit including a 
validity module and in which the host data processor for each validity 
module issues and stores an initial current transaction session key, and 
for each user of the system issues and stores an authentication para- 
meter, derived from a first part or identity number, which is stored on a 
user's input device and a second part, or secret number, which is stored 
or remembered separately by the user; 

characterised in that when a transaction is initiated at a message source 
unit by a user the validity module includes means to construct and
transmit to the host data processor a first message including the user's 
identity number and a message authentication code based upon the cur- 
rent transaction session key; 

the host data processor includes first means to regenerate a message 
authentication code when a first message is received, and to compare the 
regenerated message authentication code with the received message 
authentication code, 

second means to generate a random or pseudo random key, 

third means to generate a new transaction session key based upon the 
random key, the users authentication parameter and the current session
key,

fourth means to construct and transmit to the validity module a second
message including the user authentication parameter enciphered using the 
current transaction key, and the random key enciphered using the user 
authentication parameter; 

whereby the validity module includes means operable upon receipt of the 
user's second parameter (secret number) to regenerate the user's 
authentication parameter and 

means which upon receipt of the second message can compare the received 
authentication parameter with the regenerated authentication parameter for 
validity of the user's input and using the validated authentication 
parameter can decipher the random key and regenerate and store the new 
transaction session key for use with the next messages transmitted to the 
host data processor. 

In order that the invention may be fully understood a preferred embodi- 
ment thereof will now be described with reference to the accompanying 
drawings in which: 

FIG. 1 is a schematic showing the major components of a home banking 
data communication system. 

FIG. 2 shows in diagrammatic form the component parts of a host bank's 
central processor. 

FIG. 3 shows in diagrammatic form the component parts of a validity
module. 

The particular embodiment of the invention relates to security techniques 
to be employed in a 'home banking' system. A bank's data processing 
centre connected to customers through a public switch system (PSS) 
needs to know that messages received from a terminal originate from a 
valid device, i.e. one that that bank has authorised, and that the user is 
a valid user.

In the preferred embodiment for each terminal (message source unit) there
is a validity module, which may be portable between terminals. Each
validity module is issued with an identity (VMID), a seed number
(VMSeedn), an initial transaction key (VMKEYn), the bank identity
address (HIID) and an index number (VMNDX). The bank stores all
these indexed by VMID. When a user initiates a transaction the terminal
constructs a first message including VMID and the user's identity UID
with a message authentication code (MAC1) generated using VMKEYn.

The bank has for each user a user identity (UID) and a user secret
number (UPW) (equivalent to PAN and PIN in other applications). When
a first message is received the bank data processing centre uses VMID
to obtain its own version of VMKEYn and then regenerates MAC1 and
compares the received MAC1 with the regenerated MAC1. If this operation
is successful then a random key (RNKEY) is generated and using the
RNKEY and the seed VMSeedn with VMID a new transaction session key
(VMKEYn+1) is generated. A new seed (VMSeedn+1) is also generated
using the RNKEY and the old seed.

A second message (MSG2) is created including an authorisation parameter
(UVP) based upon UID and UPW enciphered using VMSeedn and VMKEYn;
this term is called UAP (user authorisation parameter). The message also
includes the RNKEY enciphered using UVP, VMSeedn, VMID.

When the terminal receives MSG2 and the user inputs UPW (PIN) it can
recreate UVP, and compare the recreated UVP with the received deciphered
UVP. The terminal can then decipher RNKEY and recreate its own
versions of VMKEYn+1 and VMSeedn+1. The new transaction session key
and seed are used for the authentication of the next message sent from
the terminal.

Using this system an outsider cannot emulate a validity module or pretend 
to be a bank as the critical parameters are changed with each usage of 
the module, thus providing a highly secure system. 

Features of the invention include the secure updating of session keys,
the confirmation of validity of each validity module and the confirmation of
the host validity, by using the authorisation parameter (UVP) itself
enciphered under a key which is only used for one message transfer.

Referring now more particularly to Fig. 1 there is shown in schematic 
form the major components of a home banking system. 

The host data processing centres 10 of banks and similar financial 
institutions are connected through suitable interfaces to a communications 
medium such as a public packet switched network (PSS) 12. Customers
or users of the system interact with it through terminal devices 14 which 
are connected to the communications medium. 

The terminal 14 may be a personal computer, a television set with a 
keyboard such as is used for a videotex system, or any other suitable
input/output display device. The terminals may be directly connected to 
the PSS 12 through modems or be connected through a local node such as 
shown at 16. Each terminal for the home banking system embodying the 
present invention must be capable of interconnecting with a validation 
module (VALMOD).

A validation module is one of a variety of physical devices including an
intelligent secure card, a portable PIN PAD, a complete terminal or a
logic module installed in a terminal.

FIG. 2 shows in diagrammatic form the component parts of a host bank's 
central processor used in the preferred embodiment. The processor 10 
has a control unit 20 which contains the microcode for controlling the 
operations. A store 21 which may be an external disc store or any 
similar device is connected to a transmit-receive module 22. The Tx/Rx
Module 22 may itself include a modem which is connected to the 
communication medium (PSS 12 FIG. 1). A message authentication 
generator 23, a random number generator 24, a transaction key generator 
25, a message construction register 26 and an encipher/decipher unit are
connected on a common bus to the store 21 and control unit 20. Incoming 
messages may be routed directly to the store 21 and outgoing messages 
either transmitted directly from the message construction register 26 or 
via the store 21. 

Of course in a multi-processor the units of FIG. 2 may not be separately 
identifiable as the control program will allocate tasks to registers and 
processing units according to the priorities of the operating system. 

FIG. 3 shows in diagrammatic form the component parts of a validity 
module 14. These include a microprocessor 30, a random access store 31, 
a read only store 32 which contains the microcode control for the module 
and an encipher-decipher unit 33. A common bus connects the units to a
transmit-receive unit 34. Messages are initially generated and stored in 
the random access store 31 before transmission to the Tx/Rx unit 34. 
Received messages are stored before the unit operates on them.

A validity module itself may not include all the component parts of FIG. 
3. For example the Tx/Rx unit 34 and the microprocessor 30 may be 
units of a terminal to which the validity module is connected for the
transaction to take place. 

The system operates in the following manner. The financial institution or 
bank issues validation modules (VALMODS) to its patrons or locations 
from which patrons may wish to interact with that particular issuer's 
system (e.g. Bank Branches). The VALMODS may therefore be shared 
among many patrons or moved between locations, and the patrons may use
any module issued by the financial institution. Patrons requiring access 
to data at the host system of the institution are issued with a user 
identity number (UID) and a secret user password (UPW) and must use a 
validation module also issued by that institution. In a banking context 
the UID is equivalent to a personal account number (PAN) and the 
password is equivalent to a personal identity number (PIN).

Issuing a Validation Module

The VALMOD is supplied with the following information stored within it. 

(a) VALMOD identity (VMID) 

(b) A secret hexadecimal data value (VM Seed n) 

(c) A secret encipherment key value (VM Key n) 

(d) An index number set to zero (VMNDX = n) 

(e) The identity of the user host (HIID); this could be a PSS
network user address for example.

This information is also stored at the host site indexed by VMID. The
secret data would normally be protected at the host by encipherment
under a data enciphering key DKey in the form E_DKey(VM Seed n). The
secret key will be stored enciphered under the host master key at the host
site in the form E_HMK(VM Key n).

UID is determined by the organisation and acts as an index into its user
data bank. UPW is a random number generated by the organisation for
use with that specific UID. The UID and UPW are provided to the user
under separate cover. The two values are combined to form a user
validation parameter of 8 hexadecimal bytes (UVP). The form of combina-
tion is not important so long as information is not lost, and the function
is reproducible on demand. UVP is stored at the host site as an enci-
pherment key in the form ^(UVP), and is indexed by the UID.

Using the System 

1. A user approaches the VALMOD and provides his UID (e.g. via a
magnetic stripe card or a keyboard); the VALMOD stores this UID.

2. The VALMOD compiles a message MSG1 containing HIID, VMID,
VMPAR (0 or 1 depending upon the parity of VMNDX) and UID.

3. The VALMOD generates a message authentication code MAC1 for 
MSG1 using VM Key n. 

4. MSG1,MAC1 is then sent to the issuer. 

5. If the parity of VMNDX is correct, the issuer generates MAC1 of
reference using the received MSG1 and the stored VM Key n (otherwise
the issuer uses the old values VM Key n-1 and VM Seed n-1). If the
reference is not the same as the received MAC1 the transaction is
aborted.

6. If MAC1 is valid then the issuer checks the UID, if this is valid 
then the issuer randomly generates an encryption key RNKey. 



a) VM Seed n+1 = E_RNKey(VM Seed n)
b) VM Key n+1  = D_RNKey(VM Seed n ⊕ VMID)
c) UAP         = E_VMKeyn(E_UVP(VM Seed n))
d) UAKEY       = E_VMKeyn(E_UVP(VM Seed n ⊕ VMID))
e) NEWKEY      = E_UAKEY(RNKEY)



The issuer stores items a and b and discards item d. 

7. The issuer compiles a message MSG2 including UAP and NEWKEY
and appends a message authentication code MAC2 for MSG2 using
VM KEY n.

8. The issuer sends MSG2,MAC2 to the VALMOD which validates MAC2
using the stored VM KEYn. If the validation fails the transaction is
aborted.

9. The VALMOD requests the UPW of the user and combines this with the
stored UID to create a UVP to be validated.

10. The VALMOD generates UAP of reference using its UVP and stored
VM KEYn as in step 9c. If this is not the same as the received UAP
then the transaction is aborted.

11. The VALMOD generates UAKEY as in step 9d using the validated 
UVP and stored VMSEEDn. It uses UAKEY to decipher the received 
NEWKEY to obtain RNKEY. 

12. The VALMOD uses the stored VMSEEDn and the received RNKEY to 
generate VMSEEDn+1 and VMKEYn+1 as in steps 9a and 9b. These 
replace VMSEEDn and VMKEYn in the VALMOD and VMNDX is incremented 
by one. 

13. The VALMOD generates a confirmation message MSG3 including the 
contents of MSG1 but with an authentication code for MSG3 generated
using VMKEYn+1. This is sent to the issuer. 

14. Upon receipt of this the issuer validates MAC3 using the stored
VMKEYn+1, if this fails the transaction is aborted and the VALMOD is 
declared out of synchronisation (it cannot be used again until reissued). 

15. The issuer now replaces VMSEEDn with VMSEEDn+1 and VMKEYn 
with VMKEYn+1 each enciphered under the appropriate keys. 

The outcome of this operation is that the VALMOD has performed a
synchronised change of its secret data with the issuer only on the

a) The VALMOD is valid and already synchronised

b) The user is valid and authentic

Proof of these conditions being met is provided in MAC3.

Implications

The recording of messages between VALMOD and Issuer will not enable an
outsider to emulate the VALMOD or pretend to be an issuer as the critical
parameters (VMSEED and VMKEY) are changed in each usage of the
VALMOD. This provides for a highly secure system.
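
The exchange of steps 1 to 15, as an added example that is not code from the patent: E and D are a 4-round Feistel stand-in built on HMAC-SHA256 and the MAC is truncated HMAC-SHA256, because the page names no cipher or MAC algorithm. The combining operator in items (b) and (d) is taken to be XOR, UVP is assumed to be 8 hex digits of UID followed by 8 of UPW, the message layout and all sample values are constructed, and the VMPAR fallback to the n-1 values in step 5 is left out.

```python
import hashlib, hmac, os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function built on HMAC-SHA256
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def E(key, block):  # encipher one 8-byte block (stand-in cipher)
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def D(key, block):  # decipher one 8-byte block (inverse of E)
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def mac(key, msg):  # stand-in MAC, truncated to 8 bytes
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def make_uvp(uid, upw):  # assumed lossless combination: 8 hex digits each
    return bytes.fromhex(uid + upw)

def next_state(seed, vmid, rnkey):  # items (a) and (b)
    return E(rnkey, seed), D(rnkey, _xor(seed, vmid))

def uap_uakey(vmkey, uvp, seed, vmid):  # items (c) and (d)
    return E(vmkey, E(uvp, seed)), E(vmkey, E(uvp, _xor(seed, vmid)))

class Issuer:
    def __init__(self, vmid, seed, key, uvp_by_uid):
        self.vmid, self.seed, self.key = vmid, seed, key
        self.uvp_by_uid, self.pending = uvp_by_uid, None

    def on_msg1(self, msg1, mac1):  # steps 5-7
        if not hmac.compare_digest(mac(self.key, msg1), mac1):
            return None
        uvp = self.uvp_by_uid.get(msg1.split(b"|")[3].decode())
        if uvp is None:
            return None
        rnkey = os.urandom(8)
        self.pending = next_state(self.seed, self.vmid, rnkey)
        uap, uakey = uap_uakey(self.key, uvp, self.seed, self.vmid)
        msg2 = uap + E(uakey, rnkey)  # UAP || NEWKEY, item (e)
        return msg2, mac(self.key, msg2)

    def on_msg3(self, msg3, mac3):  # steps 14-15
        if self.pending is None:
            return False
        (new_seed, new_key), self.pending = self.pending, None
        if not hmac.compare_digest(mac(new_key, msg3), mac3):
            return False  # the page declares the VALMOD out of synchronisation
        self.seed, self.key = new_seed, new_key
        return True

class Valmod:
    def __init__(self, hiid, vmid, seed, key):
        self.hiid, self.vmid, self.seed, self.key, self.ndx = hiid, vmid, seed, key, 0

    def msg1(self, uid):  # steps 1-4
        self.uid = uid
        vmpar = str(self.ndx % 2).encode()
        self.m1 = b"|".join([self.hiid, self.vmid, vmpar, uid.encode()])
        return self.m1, mac(self.key, self.m1)

    def on_msg2(self, msg2, mac2, upw):  # steps 8-13
        if not hmac.compare_digest(mac(self.key, msg2), mac2):
            return None
        uap, uakey = uap_uakey(self.key, make_uvp(self.uid, upw), self.seed, self.vmid)
        if not hmac.compare_digest(uap, msg2[:8]):
            return None  # entered UPW does not reproduce the host's UAP
        rnkey = D(uakey, msg2[8:])
        self.seed, self.key = next_state(self.seed, self.vmid, rnkey)
        self.ndx += 1
        return self.m1, mac(self.key, self.m1)  # MSG3, MAC3 under VM Key n+1

def run_session(upw_entered):
    # Constructed sample values, not taken from the page.
    vmid, seed, key = b"VM000001", bytes(range(8)), bytes(range(8, 16))
    uid, upw = "0000A1B2", "13572468"
    host = Issuer(vmid, seed, key, {uid: make_uvp(uid, upw)})
    vm = Valmod(b"HOST0001", vmid, seed, key)
    m1 = vm.msg1(uid)
    m2 = host.on_msg1(*m1)
    m3 = vm.on_msg2(*m2, upw_entered)
    wire = b"".join(m1 + m2 + (m3 or ()))
    accepted = m3 is not None and host.on_msg3(*m3)
    return {
        "accepted": accepted,
        "in_sync": (vm.seed, vm.key) == (host.seed, host.key),
        "rolled": vm.key != key,
        "on_wire": vm.key in wire or vm.seed in wire,
    }

if __name__ == "__main__":
    print(run_session("13572468"), run_session("00000000"))
```

With the correct UPW both ends hold the same VM Key n+1 and VM Seed n+1 and neither value appears in the three messages; with a wrong UPW the VALMOD aborts at step 10 and nothing rolls forward.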

The receipt of MSG3 provides access to the user of all legitimate user
data and facilities at the issuer host via the user's own terminal. A
series of draft transactions are performed and checked by the terminal
user. This communication is authenticated by generating MACs using
VMKEYn+1. 



Upon completion of all desired work, it is necessary to obtain the 
authority of the customer to transact the draft transactions. This is 
done by a 'completed' message being sent to the issuer. This results in 
another iteration of the VALMOD sequence including re-entry of the PIN
(UPW). 

Receipt of MSG3 authenticated now using VM KEY n+2 (newly agreed) is
the issuer's authority to proceed. An acknowledgement to this effect 
authenticated in VMKEY3 would be returned to the user's terminal. 

Issuing the UID and UPW 

The following table illustrates the above method by showing the items 
stored and generated at the VALMOD and host processors during the 
operation of a transaction session and the composition of the Messages 
MSG1, MSG2, and MSG3 relating to the validation.

Initially

Stored at VALMOD        Stored at Host

VMID                    VMID
VM Seed n               VM Seed n
VM Key n                VM Key n
VMNDX                   VMNDX
HIID                    UID
                        HIID
                        UVP

Entered: UID

MSG1 includes [HIID, VMID, VMPAR (based upon VMNDX),
UID, MAC1 (based upon VM Key n)]
Sent from VALMOD to Host.

MSG2 includes [VMID, UAP (based upon VM Key n,
VM Seed n (UVP)), New Key (based upon
UA Key, RN Key (UVP)), MAC2 (based upon
VM Key n)]
Sent from Host to VALMOD.

Host generates:

MAC1
RN Key
VM Seed n+1
VM Key n+1
UAP
UA Key
New Key

VALMOD generates from entered UPW:

UVP
UAP
UA Key
RN Key
VM Seed n+1
VM Key n+1

MSG3 includes [HIID, VMID, VMPAR, UID, MAC3
(based upon VM Key n+1)]
Sent from VALMOD to Host.

Both VALMOD and Host now store VM Seed n+1 and VM Key n+1.

At no stage are the new seeds and keys VM Seed n+1 and VM Key n+1
available outside the VALMOD and host computer.

CLAIMS

1. A data communication system including a host data processor 
connected through a communication network to a plurality of message 
source units, each unit including a validity module and in which the host 
data processor for each validity module issues and stores an initial 
current transaction session key, and for each user of the system issues 
and stores an authentication parameter, derived from a first part or 
identity number, which is stored on a user's input device and a second 
part, or secret number, which is stored or remembered separately by the 
user; 

characterised in that when a transaction is initiated at a message source 
unit by a user the validity module includes means to construct and 
transmit to the host data processor a first message including the user's 
identity number and a message authentication code based upon the current 
transaction session key; 

the host data processor includes first means to regenerate a message 
authentication code when a first message is received, and to compare the 
regenerated message authentication code with the received message 
authentication code, 

second means to generate a random or pseudo random key, 

third means to generate a new transaction session key based upon the 
random key, the user's authentication parameter and the current session 
key, 

fourth means to construct and transmit to the validity module a second 
message including the user authentication parameter enciphered using the 
current transaction key, and the random key enciphered using the user 
authentication parameter; 

whereby the validity module includes means operable upon receipt of the 
user's second parameter (secret number) to regenerate the user's 
authentication parameter and 

means which upon receipt of the second message can compare the received 
authentication parameter with the regenerated authentication parameter for 
validity of the user's input and using the validated authentication 
parameter can decipher the random key and regenerate and store the new 
transaction session key for use with the next messages transmitted to the 
host data processor. 

2. A data communication system as claimed in claim 1 in which the 
message source units include portable validity modules. 

3. A method of updating session encipher keys in a data communication 
system in which a host data processor is connected through a 
communication network to a plurality of message source units, each unit 
including a validity module and in which the host data processor for each 
validity module issues and stores an initial current transaction session 
key, and for each user of the system issues and stores an authentication 
parameter, derived from a first part or identity number, which is stored 
on a user's input device and a second part, or secret number, which is 
stored or remembered separately by the user; 

a) including the steps of when a transaction is initiated at a message 
source unit by a user the validity module constructing and transmitting to 
the host data processor a first message including the user's identity 
number and a message authentication code based upon the current 
transaction session key; 

b) at the host data processor regenerating a message authentication 
code when a first message is received, and comparing the regenerated 
message authentication code with the received message authentication 
code, 

c) generating a random or pseudo random key, 

d) generating a new transaction session key based upon the random 
key, the user's authentication parameter and the current session key, 

e) constructing and transmitting to the validity module a second 
message including the user authentication parameter enciphered using the 
current transaction key, and the random key enciphered using the user 
authentication parameter; 

f) at the validity module regenerating upon receipt of the user's second 
parameter, the user's authentication parameter and 

g) upon receipt of the second message comparing the received 
authentication parameter with the regenerated authentication parameter for 
validity of the user's input and using the validated authentication 
parameter to decipher the random key and to regenerate and store the 
new transaction session key for use with the next messages transmitted to 
the host data processor. 

4. A method of updating session encipher keys as claimed in claim 3 in 
which the message source units include portable validity modules. 
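
The exchange in steps a) to g) of claim 3, as an added example that is not part of the patent. HMAC-SHA256 stands in for the MAC and the one-way functions, and a keyed XOR pad for the cipher, none of which the claims name; all function names and sample values are constructed, and MSG3 is left out.

```python
import hashlib
import hmac
import secrets

def prf(key, label, *parts):
    # HMAC-SHA256 over length-prefixed fields: assumed MAC / one-way function.
    body = b"".join(len(p).to_bytes(2, "big") + p for p in (label, *parts))
    return hmac.new(key, body, hashlib.sha256).digest()

def encipher(key, iv, block):
    # Assumed stand-in cipher for 32-byte values: XOR with a keyed pad (self-inverse).
    return bytes(a ^ b for a, b in zip(block, prf(key, b"pad", iv)))

def make_uap(uid, upw):  # parameter from identity number and secret number
    return prf(upw, b"UAP", uid)

def next_key(rn, uap, cur_key):  # step d: random key + UAP + current session key
    return prf(cur_key, b"NEXT", rn, uap)

def valmod_msg1(vmid, uid, cur_key):  # step a: identity number and MAC1
    return {"vmid": vmid, "uid": uid, "mac1": prf(cur_key, b"MSG1", vmid, uid)}

def host_reply(msg1, cur_key, stored_uap):
    want = prf(cur_key, b"MSG1", msg1["vmid"], msg1["uid"])  # step b
    if not hmac.compare_digest(want, msg1["mac1"]):
        raise ValueError("MAC1 mismatch: session keys out of step")
    rn = secrets.token_bytes(32)  # step c: random key
    msg2 = {"uap_enc": encipher(cur_key, msg1["mac1"], stored_uap),  # step e
            "rn_enc": encipher(stored_uap, msg1["mac1"], rn)}
    return msg2, next_key(rn, stored_uap, cur_key)  # new key stays at the host

def valmod_update(msg1, msg2, upw, cur_key):
    uap = make_uap(msg1["uid"], upw)  # step f: regenerate from entered secret
    got = encipher(cur_key, msg1["mac1"], msg2["uap_enc"])
    if not hmac.compare_digest(uap, got):  # step g: validate the user's input
        raise PermissionError("secret number rejected")
    rn = encipher(uap, msg1["mac1"], msg2["rn_enc"])
    return next_key(rn, uap, cur_key)  # derived locally, never transmitted

def run_session(upw_entered):
    # Constructed sample values, not taken from the patent.
    vmid, uid, key_n = b"VM-0001", b"UID-4242", hashlib.sha256(b"demo").digest()
    stored_uap = make_uap(uid, b"1234")
    msg1 = valmod_msg1(vmid, uid, key_n)
    msg2, host_key = host_reply(msg1, key_n, stored_uap)
    vm_key = valmod_update(msg1, msg2, upw_entered, key_n)
    wire = b"".join(v for m in (msg1, msg2) for v in m.values())
    return host_key, vm_key, wire
```

MAC1 doubles as the pad's per-session input here, so the fixed authentication parameter never produces the same pad in two sessions.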